key change for TCP-MD5
Richard A Steenbergen
ras at e-gerbil.net
Tue Jun 20 23:29:39 UTC 2006
On Tue, Jun 20, 2006 at 05:06:27PM -0400, Ross Callon wrote:
>
> DoS against routers is of course a major concern. Using
> encryption has the potential of making DoS worse, in the
> sense that the amount of processing that a bogus packet
> can cause is increased by the amount of processing
> needed to check the authentication. If the router needs to
> check multiple keys in the keychain before declaring the
> segment as invalid, then this multiplies the effect of the
> DOS by the number of keys that need to be checked.
I'd still like someone to explain why we're wasting man hours, CPU time,
filling up our router logs, and potentially making DoS easier, for an
attack that doesn't exist. After that, I'd like them to explain why we
need to devote more resources to protecting against the attack that
already doesn't exist, and that is already protected against just fine
even if it were to exist.
Of course any not completely insane implementation should be checking for
a valid TCP window range (or an existing TCB for that matter) before
wasting CPU time on an MD5 calculation. It's just not possible in reality
for any sufficiently large number of packets to get through those check to
then be affected by an MD5 DoS (unless of course you're peering with 7018,
and the NSA has an extra copy of your packets laying around).
We already collectively wasted our time deploying MD5 passwords over a big
scare that turned out to be nothing more than someone cracking open the
manual and rediscovering how stuff worked all along. Why don't we spend
our time going forward solving actual issues like filtering/announcement
authentication, and stop trying to solve the non-existant problems.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
More information about the NANOG
mailing list